Session ID without Hashing

In PHP 7.1, the session extension has been cleaned up and modernized. One notable change with potential side effects on userland code is the generation of the session identifier: PHP no longer hashes the generated id string. This brought quite a substantial performance increase, as the old hash-based implementation is almost three times slower.

As a side effect of this change, the following ini settings are no longer required and were removed:

To avoid breaking backwards compatibility with existing session handlers and storages, the length of the session id string remained the same. For stronger session id strings, both the length and the bits used per character can be adjusted with the following two new ini settings, session.sid_length and session.sid_bits_per_character:

As cryptographically stronger session ids are always a good idea, using session.sid_length=48 and session.sid_bits_per_character=5 is the recommended setting. When compatibility with PHP 5 is needed, the default values – session.sid_length=32 and session.sid_bits_per_character=4 – should not be changed.
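As an added example that is not part of the original article, the Python below makes the two settings concrete from the defender's side: it computes the entropy an id carries under a given session.sid_length and session.sid_bits_per_character, and checks whether an id presented by a client has exactly the shape the configured settings would generate (a mismatch means the server never issued it). The per-bits alphabets (0-9a-f, 0-9a-v, 0-9a-zA-Z plus "-" and ",") and the accepted ranges are taken from the PHP documentation; the log lines are constructed.

```python
import string

# Alphabets PHP draws from for each session.sid_bits_per_character value:
# 4 -> 0-9a-f, 5 -> 0-9a-v, 6 -> 0-9a-zA-Z plus "-" and ",".
SID_ALPHABETS = {
    4: string.digits + "abcdef",
    5: string.digits + "abcdefghijklmnopqrstuv",
    6: string.digits + string.ascii_letters + "-,",
}


def sid_entropy_bits(sid_length: int, bits_per_char: int) -> int:
    """Entropy (in bits) of an id generated under these two ini settings.
    Enforces the same ranges PHP does: session.sid_length 22..256,
    session.sid_bits_per_character 4, 5 or 6."""
    if not 22 <= sid_length <= 256:
        raise ValueError(f"session.sid_length out of range: {sid_length}")
    if bits_per_char not in SID_ALPHABETS:
        raise ValueError("session.sid_bits_per_character must be 4, 5 or 6")
    return sid_length * bits_per_char


def is_valid_sid(sid: str, sid_length: int, bits_per_char: int) -> bool:
    """True if a client-presented id has exactly the shape this configuration
    generates: the configured length, only characters of the matching alphabet."""
    alphabet = SID_ALPHABETS.get(bits_per_char, "")
    return len(sid) == sid_length and all(c in alphabet for c in sid)


def audit_sid_log(lines, sid_length: int, bits_per_char: int) -> list:
    """Return the ids in 'client=<ip> sid=<value>' log lines that do not match
    the configured format (useful when hunting for forged session cookies)."""
    bad = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        sid = fields.get("sid", "")
        if not is_valid_sid(sid, sid_length, bits_per_char):
            bad.append(sid)
    return bad


# Constructed sample log lines for a server running on the PHP 5 compatible
# defaults (session.sid_length=32, session.sid_bits_per_character=4).
SAMPLE_LOG = [
    "client=203.0.113.7 sid=3f9a0c7e1b2d4a6f8e0c1b3d5a7f9e2c",  # well formed
    "client=203.0.113.8 sid=3F9A0C7E1B2D4A6F8E0C1B3D5A7F9E2C",  # uppercase hex
    "client=203.0.113.9 sid=deadbeef",                          # far too short
]
```

With the defaults an id carries 32 * 4 = 128 bits; the recommended 48 characters at 5 bits each give 240 bits.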